From Fedora Project Wiki

Anaconda Realm Integration

Summary

Kickstart will have a 'realm join example.com' command to join the machine to an AD or FreeIPA domain during installation. The join will use either a one-time password or a password-less join.

Owner

Current status

Detailed Description

realmd is an on-demand system D-Bus service that allows callers to configure network authentication and domain membership in a standard way. realmd discovers information about the domain or realm automatically and does not require complicated configuration in order to join a domain or realm.

By integrating realmd with Kickstart and Anaconda, administrators will be able to add machines to a domain en masse. This can be done without leaking administrative domain credentials into the kickstart file.

In addition, there will be a GUI for joining a domain during the Anaconda install process.

This will be implemented as an Anaconda addon, to help keep the scope and base feature set of Anaconda in check.

Benefit to Fedora

Provides a best-practice standard way to deploy Fedora machines on an Active Directory or FreeIPA domain. realmd was integrated in Fedora 18, and this builds on that feature.

Scope

A new anaconda addon will be created. This addon will be distributed with the Fedora distribution by default.

How To Test

Precreate a computer account in an Active Directory domain with the adcli tool:

$ adcli preset --user=AdminUser --verbose --domain ad.example.com --one-time-password=MyPassword machine

Add the following lines to a kickstart file (which already has the basic kickstart contents, sets up the network, etc.):

network --hostname=machine.ad.example.com
realm join --one-time-password=MyPassword ad.example.com
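
A pre-deployment check for the two steps above, as an added example (not code from this wiki page, anaconda or realmd): it parses the `network` and `realm join` lines and reports when the hostname has no matching preset computer account or when an administrative account name appears in the file. The names `parse_kickstart` and `check_join` are hypothetical, the `BAD` file is constructed, and the check assumes the machine's DNS suffix equals the realm name, as in the example above.

```python
import shlex

def parse_kickstart(text):
    """Return (hostname, realm_options, realm_domain); handles --opt=value only."""
    hostname, opts, domain = None, {}, None
    for raw in text.splitlines():
        try:
            words = shlex.split(raw, comments=True)
        except ValueError:          # unbalanced quotes, e.g. inside a %post script
            continue
        if words[:1] == ["network"]:
            for w in words[1:]:
                if w.startswith("--hostname="):
                    hostname = w.split("=", 1)[1]
        elif words[:2] == ["realm", "join"]:
            for w in words[2:]:
                if w.startswith("--"):
                    key, _, val = w.partition("=")
                    opts[key] = val
                else:
                    domain = w      # the positional argument is the realm name
    return hostname, opts, domain

def check_join(text, preset_accounts, admin_names):
    """Return a list of findings; an empty list means nothing was flagged."""
    hostname, opts, domain = parse_kickstart(text)
    if domain is None:
        return ["no 'realm join' command found"]
    findings = []
    if hostname is None:
        findings.append("no 'network --hostname=' line to match against an account")
    else:
        short, _, suffix = hostname.partition(".")
        # Assumption: DNS suffix and realm name are the same, as on this page.
        if suffix.lower() != domain.lower():
            findings.append(f"hostname {hostname} is not in domain {domain}")
        if short.lower() not in {a.lower() for a in preset_accounts}:
            findings.append(f"no preset computer account for {short}")
    if opts.get("--one-time-password") == "":
        findings.append("empty one-time password")
    for name in admin_names:        # admin identities do not belong in the file
        if name.lower() in text.lower():
            findings.append(f"administrative account {name} appears in the file")
    return findings

# The two lines from "How To Test", and a constructed file that fails the checks.
GOOD = ("network --hostname=machine.ad.example.com\n"
        "realm join --one-time-password=MyPassword ad.example.com\n")
BAD = ("network --hostname=web01.example.com\n"
       "realm join --user=AdminUser ad.example.com\n")

if __name__ == "__main__":
    for label, ks in (("good", GOOD), ("bad", BAD)):
        print(label, check_join(ks, {"machine"}, {"AdminUser"}))
```
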

Further testing documentation to follow.

User Experience

Administrators will see a new kickstart command to include in their kickstart files. Users will see the option to join a domain in the installer.

Dependencies

  • pykickstart
  • anaconda
  • realmd

Contingency Plan

If the Anaconda GUI parts cannot be completed in time, then the kickstart command will be delivered without the GUI bits.

This is being developed as an addon. This makes it very simple to remove the feature as a contingency.

Documentation

Documentation to follow.

Release Notes

  • Fedora can now join a domain from a kickstart file, using one-time passwords and a simple syntax.

Comments and Discussion